Researchers outwit Apple, plant malware in the App Store

Unlike Android, Apple's iOS has been remarkably free of malicious apps, due to the Cupertino, Calif. company's mandate that only apps from its App Store can be installed on an unmodified iPhone. Apple also conducts a review before approving an app, purportedly looking for malicious code or unsanctioned operations. It rejects those it believes are suspicious or that sport illegal functions.

But the review process, even if it was beefed up with personnel and the analysis done with different tools, would not stymie Jekyll apps, Wang and his team wrote in their paper.

"We argue that the task of making all apps in App Store vulnerability-free is not only theoretically and practically difficult, but also quite infeasible to Apple from an economic perspective because such attempts will significantly complicate the review tasks, and therefore, prolong the app review and approval process that is already deemed low in throughput by third-party app developers," they wrote.

With little chance of catching Jekyll apps during review, Apple should enhance iOS security to stymie such masquerading software at runtime, or when it's on an iPhone and active, Wang said.

They made several recommendations, including improving ASLR and providing a finer-grained permission model, but pointed out that hackers may be able to work around those defenses, too.

One way Apple could monitor apps at run time and thus stop Jekylls, was with "control-flow integrity" (CFI), an advanced anti-exploitation technology that requires code execution to follow pre-defined paths, and no others.

Ironically, Apple's rival Microsoft has been at the forefront of CFI research, with papers from its scientists going back to 2005. And last year, the winner of Microsoft's BlueHat Prize was awarded $250,000 for coming up with a "lightweight form of control flow integrity" to protect Windows against ROP, or "return-oriented programming" attacks.

"CFI is a very hot research topic right now," said Wang.

Wang and his team reported their findings to Apple in March, long before the paper was made public. "They said they appreciated the report," said Wang. But he was, like everyone else, in the dark about what Apple might do to block Jekylls from reaching the App Store, or failing that, from executing on iPhones.

Apple did not reply to a request for comment, but elsewhere the company has said it made changes in iOS in response.

According to Wang, iOS 7 is still vulnerable to the technique of hiding vulnerabilities in a Jekyll app and exploiting them after approval to do dirty work.

"However, Apple did enhance its sandbox policies," Wang said Tuesday in an email reply to follow-up questions. "Some of our attack instances no longer work, but we need to further figure our whether iOS 7 completely fixes the issues."